Get email notifications on new entries

I have set up a honeypot in one of our segments. When someone logs into it, it logs the credentials into a log file. Using filebeat, I ship the new entries from the log to the elastic stack which looks like that on the dashboard.

Since I was given a 0 budget, is there a way to have the elastic stack send an email when that dashboard gets a new entry within the free tier? If not, is there a way to have the Linux OS send a notification when the log file gets a new entry with something like Postfix or Sendmail?

Huge thanks ahead.

There is no way of doing it directly from Elasticsearch from the free tier. But I feel your pain with the 0 budget and I will suggest this:

  1. Use something like Python to send the emails: https://realpython.com/python-send-email/
  2. Setup a script to run in the background that queries Elasticsearch (there is a ES Python client that is easy to use) and sends an email when the number of documents in your filebeat indices has increased from the last query.

Thanks for the response!

I've ended up adding the following to my logstash config:

# If our honeypot (called cowrie) gets someone, send me an email

if [log][file][path] =~ "cowrie.json" {
    if [message] =~ "^New connection" {
    email {
      from => 'honeypot-entries@companyname-elk.net'
      to => 'john@companyname.net'
      subject => 'Honeypot Alert'
      body => "Someone interacted with the honeypot!\nDetails: %{message}\nClick here to view the dashboard."
      domain => 'mail.company.net'
      port => 25
    }
  }
}

It works perfectly, now my only problem is settings up the body of the email. I can't seem to create hyperlinks like this. I was suggested to use htmlbody instead of html but I wasn't able to find how to set a new line since variables are defined in one line.

Basically, all I'm trying to achieve is an email that would look like this:

New honeypot entry!
*details*
for  successful and failed logins dashboard, click here <- clickable
for command history logins, click here <- clickable
for "suspicious activity" dashboard, click here <- clickable